Cyber Warfare In Cars – Forbes
Should another world war occur, there will be two new domains of conflict in addition to air, naval and land forces: space and cyber warfare. The latter will be the first-ever, man-made domain of conflict, while the others are provided by nature. The highest aerial position is always a basis of competitive advantage in a conflict, be it for communications, observation, navigation or sniper fire. Space, therefore, provides an inherent military advantage. As the number of people who have access to the Internet reaches 5 billion, the world will see a 20-fold increase in the number of hackers globally, causing an increase in cyber warfare.
Incidents like the attack on Iran’s nuclear facilities – a first of its kind where the Stuxnet virus was aimed at industrial programmable logic controllers, most likely by Israel or the U.S., or both – or the attack on Sony Sony PlayStation and its online entertainment site – which took the company’s network down for about 10 days and cost them about $180 million in lost revenues – create a disturbing situation. In addition, these hackers are becoming more sophisticated in their advanced abilities to hack satellites. The Tamil Tigers in Sri Lanka did just that. They hacked and began controlling one of Intalsat’s satellites for the disbursement of their own propaganda. So, if nuclear power plants in Iran and satellites in space are hackable, what about a car?
For most of the past decade, car companies were in denial that their cars could be hacked. They argued that cars had limited connectivity and electronics, and the electronic control units (ECUs) controlling the engine don’t talk to the ECUs controlling the anti-lock break system (ABS), which, in turn, are not connected to the ECUs for infotainment; thus, they all work in isolation… so they thought. That was fine when cars were not sophisticated, but today’s mid-segment cars like the VW Golf have more than 70 ECUs and high-speed Internet connectivity. Premium luxury cars from BMW and Daimler Daimler have double the number of ECUs, and these car companies are pushing high-speed LTE network connectivity to enable features ranging from Internet radio to creating a Wi-Fi zone in the car. Tesla, which is big into connectivity, even provides over-the-air updates – updates just like a smart phone user does to update apps – browsing on the move, and dedicated app stores on multiple operating systems like Android, iOS, etc.
Cyber security has therefore emerged as a key concern in the automotive industry as researchers across the world have demonstrated threats and risks by presenting various scenarios, such as taking control of the car by turning off engines and headlights, disabling brakes, and taking over steering control denial of services. With the massive push for a semi-automated and completely driverless experience, electronics and associated software will become central to all of this innovation and pose a higher risk for hacking.
What does it really mean in terms of security and protecting the car from extremely talented hackers? There was a recent report from two computer security researchers, Charlie Miller and Chris Valasek, which showcased the 2014 Jeep Cherokee, 2014 Infiniti Q50 and 2015 Cadillac Escalade as the most remotely hackable vehicles from a list of 10-plus models. Even though they did not try to hack the vehicle, they arrived at this conclusion using a variety of vulnerability points in the vehicle – ranging from Bluetooth to Wi-Fi and other remote access technologies. This is not the first time hackers have done threat assessment of popular vehicle models.
There are two possible threats with car hacking. The first being taking control of the car and mission-critical functions, and the other, data protection and privacy given most cars today can provide a user profile and most consumers share such data (what the industry calls personal identifiable information) once they opt-in to a car company-enabled service. Ford had to send a detailed response to Senator Markey highlighting almost six different steps on how they manage customer and vehicle data, and how they protect and process it after a security breach.
There have been huge repercussions with data ownership and consumer privacy ever since the concept of big data began gaining traction in the automotive space. The idea is to protect personal data that is defined as information related to a person or data attached to unique identifiers, which can be identified directly or indirectly. This includes location data, vehicle locator, travel direction and associated driver cell phone number. In the U.S., the GAO (Government Accountability Office) has been directly involved. Senator Al Franken’s location privacy protection act of 2014 recommended practices include providing disclosure to consumers about data collection, usage and sharing; obtaining consent and providing controls over sharing location data; having clear data retention practices and safeguards; and finally providing accountability for protecting consumer data. However, the area where car companies are showing more interest currently is in the anonymous data set pertaining to on-board diagnostic (OBD) data, analytical data and probe data, which can be used to provide a plethora of useful ownership, insurance and maintenance-related services, and these in general are not associated to a specific user.
Most car companies today understand the threat, including Tesla, which hired hacker Kristin Paget, who had worked with Google Google, Apple Apple, and Microsoft Microsoft in the past as a security geek, to tackle the entire aspect of hacking. Other companies, such as Ford, are building white lists to separate vehicle-critical control systems from infotainment/connected solutions. They also use cryptography to prevent unwanted updates and also use code-signed updates to prevent unwanted threats.
The route to securing the car is not simple for car companies because the current generation of suppliers does not have capabilities in this space. This is why companies such as Cisco, Escrypt, Arilou Technologies, CGI and Utimaco are trying to get ahead in this ecosystem, providing a variety of secure options. Ultimately, by 2020, tier 1 companies will either absorb these companies or develop these capabilities in-house to offer to car companies as an integrated solution, along with their existing offers. On the other side, car companies will start hiring more white-hat hackers to integrate security as a cradle-to-grave concept, rather than an afterthought.
There is a lot at stake for car companies, ranging from brand image to protecting intellectual property and ultimately protecting its customers. Cross-industry collaboration is critical. Car companies need to look beyond the traditional automotive industry and learn how aerospace and IT industries protect their assets. Car companies also need to collaborate with each other to develop a few set of common standards, like the PCI standards in the payments industry. These minimum sets of standards should form a basic framework, on top of which companies can develop a specialized solution to help them in competitive differentiation. The problem is car companies hardly collaborate on much, as we’ve seen with electric vehicles recently. Even today they can’t seem to agree on a common plug and standards for them. Realistically we can’t expect them to come together to prevent car hacking unless the government steps in with legislation and standards.
Meanwhile, drive safely and keep your hands on the wheel.
This article was written with contribution from Praveen Chandrasekar, program manager, connectivity and telematics and author of Frost & Sullivan’s “Cybersecurity and its Impact on the Automotive Ecosystem,” to be published in October, 2014.